3.0.0.0

Version 3.0.0 Release Notes

Compatible with OpenSearch and OpenSearch Dashboards version 3.0.0

Breaking Changes

• Fix Blake2b hash implementation (#5089)
• Remove OpenSSL provider (#5220)
• Remove whitelist settings in favor of allowlist (#5224)

Enhancements

• Optimized Privilege Evaluation (#4380)
• Add support for CIDR ranges in ignore_hosts setting (#5099)
• Add 'good' as a valid value for plugins.security.restapi.password_score_based_validation_strength (#5119)
• Adding stop-replication permission to index_management_full_access (#5160)
• Replace password generator step with a secure password generator action (#5153)
• Run Security build on image from opensearch-build (#4966)

Bug Fixes

• Fix version matcher string in demo config installer (#5157)
• Escape pipe character for injected users (#5175)
• Assume default of v7 models if _meta portion is not present (#5193))
• Fixed IllegalArgumentException when building stateful index privileges (#5217)
• DlsFlsFilterLeafReader::termVectors implementation causes assertion errors for users with FLS/FM active (#5243)
• Only check validity of certs in the chain of the node certificates (#4979)
• Corrections in DlsFlsFilterLeafReader regarding PointVales and object valued attributes (#5304)

Maintenance

• Update AuditConfig.DEPRECATED_KEYS deprecation message to match 4.0 (#5155)
• Update deprecation message for _opendistro/_security/kibanainfo API (#5156)
• Update DlsFlsFilterLeafReader to reflect Apache Lucene 10 API changes (#5123)
• Adapt to core changes in SecureTransportParameters (#5122)
• Format SSLConfigConstants.java and fix typos (#5145)
• Remove typo in AbstractAuditlogUnitTest (#5130)
• Update Andriy Redko's affiliation (#5133)
• Upgrade common-utils version to 3.0.0.0-alpha1-SNAPSHOT (#5137)
• Bump Spring version (#5173)
• Bump org.checkerframework:checker-qual from 3.49.0 to 3.49.2 (#5162) (#5247)
• Bump org.mockito:mockito-core from 5.15.2 to 5.17.0 (#5161) (#5248)
• Bump org.apache.camel:camel-xmlsecurity from 3.22.3 to 3.22.4 (#5163)
• Bump ch.qos.logback:logback-classic from 1.5.16 to 1.5.17 (#5149)
• Bump org.awaitility:awaitility from 4.2.2 to 4.3.0 (#5126)
• Bump org.springframework.kafka:spring-kafka-test from 3.3.2 to 3.3.4 (#5125) (#5201)
• Bump org.junit.jupiter:junit-jupiter from 5.11.4 to 5.12.2 (#5127) (#5269)
• Bump Gradle to 8.13 (#5148)
• Bump Spring version to fix CVE-2024-38827 (#5173)
• Bump com.google.guava:guava from 33.4.0-jre to 33.4.6-jre (#5205) (#5228)
• Bump ch.qos.logback:logback-classic from 1.5.17 to 1.5.18 (#5204)
• Bump spring_version from 6.2.4 to 6.2.5 (#5203)
• Bump bouncycastle_version from 1.78 to 1.80 (#5202)
• remove java version check for reflection args in build.gradle (#5218)
• Improve coverage: Adding tests for ConfigurationRepository class (#5206)
• Refactor InternalAuditLogTest to use Awaitility (#5214)
• Bump com.google.googlejavaformat:google-java-format from 1.25.2 to 1.26.0 (#5231)
• Bump open_saml_shib_version from 9.1.3 to 9.1.4 (#5230)
• Bump com.carrotsearch.randomizedtesting:randomizedtesting-runner from 2.8.2 to 2.8.3 (#5229)
• Bump open_saml_version from 5.1.3 to 5.1.4 (#5227)
• Bump org.ow2.asm:asm from 9.7.1 to 9.8 (#5244)
• Bump com.netflix.nebula.ospackage from 11.11.1 to 11.11.2 (#5246)
• Bump com.google.errorprone:error_prone_annotations from 2.36.0 to 2.37.0 (#5245)
• More tests for FLS and field masking (#5237)
• Migrate from com.amazon.dlic to org.opensearch.security package (#5223)
• Fix compilation issue after Secure gRPC PR (#17796) merged into core (#5263)
• Bump commons-io:commons-io from 2.18.0 to 2.19.0 (#5267)
• Bump org.apache.commons:commons-text from 1.13.0 to 1.13.1 (#5266)
• Bump org.junit.jupiter:junit-jupiter-api from 5.12.1 to 5.12.2 (#5268)
• Bump com.google.guava:failureaccess from 1.0.2 to 1.0.3 (#5265)

3.0.0.0-beta1

Version 3.0.0-beta1 Release Notes

Compatible with OpenSearch and OpenSearch Dashboards version 3.0.0-beta1

Breaking Changes

• Fix Blake2b hash implementation (#5089)
• Remove OpenSSL provider (#5220)
• Remove whitelist settings in favor of allowlist (#5224)

Enhancements

• Optimized Privilege Evaluation (#4380)
• Add support for CIDR ranges in ignore_hosts setting (#5099)
• Add 'good' as a valid value for plugins.security.restapi.password_score_based_validation_strength (#5119)
• Adding stop-replication permission to index_management_full_access (#5160)
• Replace password generator step with a secure password generator action (#5153)
• Run Security build on image from opensearch-build (#4966)

Bug Fixes

• Fix version matcher string in demo config installer (#5157
• Escape pipe character for injected users (#5175)
• Assume default of v7 models if _meta portion is not present (#5193)
• Fixed IllegalArgumentException when building stateful index privileges (#5217
• DlsFlsFilterLeafReader::termVectors implementation causes assertion errors for users with FLS/FM active (#5243

Maintenance

• Update AuditConfig.DEPRECATED_KEYS deprecation message to match 4.0 (#5155)
• Update deprecation message for _opendistro/_security/kibanainfo API (#5156)
• Update DlsFlsFilterLeafReader to reflect Apache Lucene 10 API changes (#5123)
• Adapt to core changes in SecureTransportParameters (#5122)
• Format SSLConfigConstants.java and fix typos (#5145)
• Remove typo in AbstractAuditlogUnitTest (#5130)
• Update Andriy Redko's affiliation (#5133)
• Upgrade common-utils version to 3.0.0.0-alpha1-SNAPSHOT (#5137)
• Bump Spring version (#5173)
• Bump org.checkerframework:checker-qual from 3.49.0 to 3.49.2 (#5162) (#5247)
• Bump org.mockito:mockito-core from 5.15.2 to 5.17.0 (#5161) (#5248)
• Bump org.apache.camel:camel-xmlsecurity from 3.22.3 to 3.22.4 (#5163)
• Bump ch.qos.logback:logback-classic from 1.5.16 to 1.5.17 (#5149)
• Bump org.awaitility:awaitility from 4.2.2 to 4.3.0 (#5126)
• Bump org.springframework.kafka:spring-kafka-test from 3.3.2 to 3.3.4 (#5125) (#5201)
• Bump org.junit.jupiter:junit-jupiter from 5.11.4 to 5.12.0 (#5127)
• Bump Gradle to 8.13 (#5148)
• Bump Spring version to fix CVE-2024-38827 (#5173)
• Bump com.google.guava:guava from 33.4.0-jre to 33.4.6-jre (#5205) (#5228)
• Bump ch.qos.logback:logback-classic from 1.5.17 to 1.5.18 (#5204)
• Bump spring_version from 6.2.4 to 6.2.5 (#5203)
• Bump bouncycastle_version from 1.78 to 1.80 (#5202)
• remove java version check for reflection args in build.gradle (#5218)
• Improve coverage: Adding tests for ConfigurationRepository class (#5206)
• Refactor InternalAuditLogTest to use Awaitility (#5214)
• Bump com.google.googlejavaformat:google-java-format from 1.25.2 to 1.26.0 (#5231)
• Bump open_saml_shib_version from 9.1.3 to 9.1.4 (#5230)
• Bump com.carrotsearch.randomizedtesting:randomizedtesting-runner from 2.8.2 to 2.8.3 (#5229)
• Bump open_saml_version from 5.1.3 to 5.1.4 (#5227)
• Bump org.ow2.asm:asm from 9.7.1 to 9.8 (#5244)
• Bump com.netflix.nebula.ospackage from 11.11.1 to 11.11.2 (#5246)
• Bump com.google.errorprone:error_prone_annotations from 2.36.0 to 2.37.0 (#5245)
• More tests for FLS and field masking (#5237)
• Migrate from com.amazon.dlic to org.opensearch.security package (#5223)

3.0.0.0-alpha1

Version 3.0.0-alpha1 Release Notes

Compatible with OpenSearch and OpenSearch Dashboards version 3.0.0-alpha1

Breaking Changes

• Optimized Privilege Evaluation (#4380)
• Fix Blake2b hash implementation (#5089)

Enhancements

• Add support for CIDR ranges in ignore_hosts setting (#5099)
• Add 'good' as a valid value for plugins.security.restapi.password_score_based_validation_strength (#5119)
• Adding stop-replication permission to index_management_full_access (#5160)
• Replace password generator step with a secure password generator action (#5153)

Bug Fixes

• Fix version matcher string in demo config installer (#5157)

Maintenance

• Update AuditConfig.DEPRECATED_KEYS deprecation message to match 4.0 (#5155)
• Update deprecation message for _opendistro/_security/kibanainfo API (#5156)
• Update DlsFlsFilterLeafReader to reflect Apache Lucene 10 API changes (#5123)
• Adapt to core changes in SecureTransportParameters (#5122)
• Format SSLConfigConstants.java and fix typos (#5145)
• Remove typo in AbstractAuditlogUnitTest (#5130)
• Update Andriy Redko's affiliation (#5133)
• Upgrade common-utils version to 3.0.0.0-alpha1-SNAPSHOT (#5137)
• Bump Spring version (#5173)
• Bump org.checkerframework:checker-qual from 3.49.0 to 3.49.1 (#5162)
• Bump org.mockito:mockito-core from 5.15.2 to 5.16.0 (#5161)
• Bump org.apache.camel:camel-xmlsecurity from 3.22.3 to 3.22.4 (#5163)
• Bump ch.qos.logback:logback-classic from 1.5.16 to 1.5.17 (#5149)
• Bump org.awaitility:awaitility from 4.2.2 to 4.3.0 (#5126)
• Bump org.springframework.kafka:spring-kafka-test from 3.3.2 to 3.3.3 (#5125)
• Bump org.junit.jupiter:junit-jupiter from 5.11.4 to 5.12.0 (#5127)
• Bump Gradle to 8.13 (#5148)
• Bump Spring version to fix CVE-2024-38827 (#5173)

2.19.1.0

Version 2.19.1 Release Notes

Compatible with OpenSearch and OpenSearch Dashboards version 2.19.1

Bug Fixes

• Fix ssl hot reload settings (#5117)

2.19.0.0

Version 2.19.0 Release Notes

Compatible with OpenSearch and OpenSearch Dashboards version 2.19.0

Enhancements

• Allow skipping hot reload dn validation (#4839)
• Add validation of authority certificates (#4862)
• Add support for certificates hot reload (#4880)
• Optimize privilege evaluation for index permissions across '*' index pattern (i.e. all_access role) (#4926)
• Refactor SafeSerializationUtils for better performance (#4977)
• Optimized Privilege Evaluation: Action privileges ONLY, with feature flag (#4998)
• Implement new extension points in IdentityPlugin and add ContextProvidingPluginSubject (#5028)
• Implement new extension points in IdentityPlugin and add ContextProvidingPluginSubject - legacy authz code path (#5037)
• Ensure that plugin can search on system index when utilizing pluginSubject.runAs (#5032)
• Ensure that plugin can update on system index when utilizing pluginSubject.runAs (#5055)
• add ingest pipeline and indices related permissions for anomaly_full_access role (#5069)
• Added roles for ltr read and full access (#5070)

Bug Fixes

• Fix issue with jwt attribute parsing of lists (#4885)
• Log io.netty.internal.tcnative.SSLContext availability warning only when OpenSSL is explicitly enabled but not available (#4906)
• Reduce log level in HttpJwtAuthenticator if request cannot be authenticated (#4917)
• Honor log_request_body setting in compliance audit log (#4918)
• Change log level for log line in OBO Authenticator if OBO is disabled (#4956)
• Set default value for key/trust store type as constant for JDK PKCS setup (#5003)
• Fix SSL config for JDK PKCS setup (#5033)
• Fix Netty4 header verifier inbound handler to deal with upgrade requests (#5045)
• Generate jacoco report for integTestRemote task (#5050)

Maintenance

• Bump org.junit.jupiter:junit-jupiter-api from 5.11.2 to 5.11.3 (#4856)
• Bump ch.qos.logback:logback-classic from 1.5.11 to 1.5.12 (#4857)
• Bump com.google.errorprone:error_prone_annotations from 2.34.0 to 2.35.1 (#4850)
• Bump org.junit.jupiter:junit-jupiter from 5.11.2 to 5.11.3 (#4861)
• Bump Wandalen/wretry.action from 3.5.0 to 3.7.0 (#4874)
• Bump org.checkerframework:checker-qual from 3.48.1 to 3.48.2 (#4875)
• Bump com.nimbusds:nimbus-jose-jwt from 9.41.2 to 9.45 (#4876)
• Bump com.nimbusds:nimbus-jose-jwt from 9.45 to 9.46 (#4890)
• Bump Wandalen/wretry.action from 3.7.0 to 3.7.2 (#4891)
• Bump Zookeeper to 3.9.3 (#4895)
• Bump com.nimbusds:nimbus-jose-jwt from 9.46 to 9.47 (#4916)
• Update Gradle to 8.11 (#4922)
• Update Gradle to 8.11.1 (#4925)
• Bump com.google.googlejavaformat:google-java-format from 1.24.0 to 1.25.0 (#4933)
• Bump Wandalen/wretry.action from 3.7.2 to 3.7.3 (#4932)
• Bump commons-io:commons-io from 2.17.0 to 2.18.0 (#4935)
• Bump io.dropwizard.metrics:metrics-core from 4.2.28 to 4.2.29 (#4941)
• Fix typos (#4951)
• Bump com.carrotsearch.randomizedtesting:randomizedtesting-runner from 2.8.1 to 2.8.2 (#4962)
• Bump org.checkerframework:checker-qual from 3.48.2 to 3.48.3 (#4958)
• Bump org.eclipse.platform:org.eclipse.core.runtime from 3.31.100 to 3.32.0 (#4964)
• Bump org.apache.commons:commons-text from 1.12.0 to 1.13.0 (#4971)
• Bump com.google.googlejavaformat:google-java-format from 1.25.0 to 1.25.2 (#4972)
• Bump org.junit.jupiter:junit-jupiter from 5.11.3 to 5.11.4 (#4985)
• Bump com.nimbusds:nimbus-jose-jwt from 9.47 to 9.48 (#4986)
• Bump com.netflix.nebula.ospackage from 11.10.0 to 11.10.1 (#4987)
• Bump ch.qos.logback:logback-classic from 1.5.12 to 1.5.15 (#4989)
• Bump org.apache.camel:camel-xmlsecurity from 3.22.2 to 3.22.3 (#4996)
• Bump org.apache.santuario:xmlsec from 2.3.4 to 2.3.5 (#5008)
• Bump ch.qos.logback:logback-classic from 1.5.15 to 1.5.16 (#5009)
• Update Gradle to 8.12 (#5018)
• Bump commons-codec:commons-codec from 1.17.1 to 1.17.2 (#5024)
• Bump org.scala-lang:scala-library from 2.13.15 to 2.13.16 (#5026)
• Bump Wandalen/wretry.action from 3.7.3 to 3.8.0 (#5025)
• Bumps guava to 33.4.0-jre (#5041)
• Bump io.dropwizard.metrics:metrics-core from 4.2.29 to 4.2.30 (#5043)
• Remove deprecation comment for protected indices settings (#5059)
• Bump org.gradle.test-retry from 1.6.0 to 1.6.1 (#5060)

1.3.20.0

Version 1.3.20.0

Compatible with OpenSearch 1.3.20

Maintenance

• Update commons-io to 2.18.0 (#4944)
• Bump spring-framework dependency to 2.9.13 (#4947)

2.18.0.0

Version 2.18.0 Release Notes

Compatible with OpenSearch and OpenSearch Dashboards version 2.18.0

Enhancements

• Improve error message when a node with an incorrectly configured certificate attempts to connect (#4819)
• Support datastreams as an AuditLog Sink (#4756)
• Auto-convert V6 configuration instances into V7 configuration instances (for OpenSearch 2.x only) (#4753)
• Add can trip circuit breaker override (#4779)
• Adding index permissions for remote index in AD (#4721)
• Fix env var password hashing for PBKDF2 (#4778)
• Add ensureCustomSerialization to ensure that headers are serialized correctly with multiple transport hops (#4741)

Bug Fixes

• Handle non-flat yaml settings for demo configuration detection (#4798)
• Fix bug where admin can read system index (#4775)
• Ensure that dual mode enabled flag from cluster settings can get propagated to core (#4830)
• Remove failed login attempt for saml authenticator (#4770)
• Fix issue in HashingStoredFieldVisitor with stored fields (#4827)
• Fix issue with Get mappings on a Closed index (#4777)
• changing comments permission for alerting_ack_alerts role (#4723)
• Fixed use of rolesMappingConfiguration in InternalUsersApiActionValidationTest (#4754)
• Use evaluateSslExceptionHandler() when constructing OpenSearchSecureSettingsFactory (#4726)

Maintenance

• Bump gradle to 8.10.2 (#4829)
• Bump ch.qos.logback:logback-classic from 1.5.8 to 1.5.11 (#4807) (#4825)
• Bump org.passay:passay from 1.6.5 to 1.6.6 (#4824)
• Bump org.junit.jupiter:junit-jupiter from 5.11.0 to 5.11.2 (#4767) (#4811)
• Bump io.dropwizard.metrics:metrics-core from 4.2.27 to 4.2.28 (#4789)
• Bump com.nimbusds:nimbus-jose-jwt from 9.40 to 9.41.2 (#4737) (#4787)
• Bump org.ow2.asm:asm from 9.7 to 9.7.1 (#4788)
• Bump com.google.googlejavaformat:google-java-format from 1.23.0 to 1.24.0 (#4786)
• Bump org.xerial.snappy:snappy-java from 1.1.10.6 to 1.1.10.7 (#4738)
• Bump org.gradle.test-retry from 1.5.10 to 1.6.0 (#4736)
• Moves @cliu123 to emeritus status (#4667)
• Add Derek Ho (github: derek-ho) as a maintainer (#4796)
• Add deprecation warning for GET/POST/PUT cache (#4776)
• Fix for: CVE-2024-47554 (#4792)
• Move Stephen to emeritus (#4804)
• Undeprecate securityadmin script (#4768)
• Bump commons-io:commons-io from 2.16.1 to 2.17.0 (#4750)
• Bump org.scala-lang:scala-library from 2.13.14 to 2.13.15 (#4749)
• org.checkerframework:checker-qual and ch.qos.logback:logback-classic to new versions (#4717)
• Add isActionPaginated to DelegatingRestHandler (#4765)
• Refactor ASN1 call (#4740)
• Fix 'integTest' not called with test workflows during release (#4815)
• Fixed bulk index requests in BWC tests and hardened assertions (#4831)

2.17.0.0

Version 2.17.0 Release Notes

Compatible with OpenSearch and OpenSearch Dashboards version 2.17.0

Enhancements

• Add ignore_hosts config option for auth failure listener (#4538)
• added API roles for correlationAlerts (#4689)
• Allow multiple signing keys to be provided (#4666)
• adding alerting comments security actions to roles.yml (#4700)
• Permission changes for correlationAlerts (#4704)

Bug Fixes

• Addresses a bug with plugins.security.allow_unsafe_democertificates setting (#4603)
• Fix covereage-report workflow (#4684, #4683)
• Handle the audit config being null (#4664)
• Fixes authtoken endpoint (#4631)
• Fixed READ_ACTIONS required by TermsAggregationEvaluator (#4607)
• Sort the DNS Names in the SANs (#4640)

Maintenance

• Bump com.google.errorprone:error_prone_annotations from 2.30.0 to 2.31.0 (#4696)
• Bump org.passay:passay from 1.6.4 to 1.6.5 (#4682)
• Bump spring_version from 5.3.37 to 5.3.39 (#4661)
• Bump commons-cli:commons-cli from 1.8.0 to 1.9.0 (#4659)
• Bump org.junit.jupiter:junit-jupiter from 5.10.3 to 5.11.0 (#4657)
• Bump org.cryptacular:cryptacular from 1.2.6 to 1.2.7 (#4656)
• Update Gradle to 8.10 (#4646)
• Bump org.xerial.snappy:snappy-java from 1.1.10.5 to 1.1.10.6 (#4639)
• Bump com.google.googlejavaformat:google-java-format from 1.22.0 to 1.23.0 (#4622)
• Increment version to 2.17.0-SNAPSHOT (#4615)
• Backports PRs with backport-failed labels that weren't actually backported (#4610)
• Bump io.dropwizard.metrics:metrics-core from 4.2.26 to 4.2.27 (#4660)
• Bump com.netflix.nebula.ospackage from 11.9.1 to 11.10.0 (#4681)
• Interim build fix for PluginSubject related changes (#4694)
• Add Nils Bandener (Github: nibix) as a maintainer (#4673)
• Remove usages of org.apache.logging.log4j.util.Strings (#4653)
• Update backport section of PR template (#4625)
• Bump org.checkerframework:checker-qual from 3.45.0 to 3.46.0 (#4623)
• Refactor security provider instantiation (#4611)

1.3.19.0

Version 1.3.19.0

Compatible with OpenSearch 1.3.19

Maintenance

• Bump org.apache.cxf:cxf-rt-rs-security-jose from 3.5.8 to 3.5.9 (#4579)

2.16.0.0

Version 2.16.0 Release Notes

Compatible with OpenSearch and OpenSearch Dashboards version 2.16.0

Enhancements

• Add support for PBKDF2 for password hashing & add support for configuring BCrypt and PBKDF2 (#4524)
• Separated DLS/FLS privilege evaluation from action privilege evaluation (#4490)
• Update PULL_REQUEST_TEMPLATE to include an API spec change in the checklist. (#4533)
• Update PATCH API to fail validation if nothing changes (#4530)
• Refactor InternalUsers REST API test (#4481)
• Refactor Role Mappings REST API test (#4450)
• Remove special handling for do_not_fail_on_forbidden on cluster actions (#4486)
• Add Tenants REST API test and partial fix (#4166)
• Refactor Roles REST API test and partial fix #4166 (#4433)
• New algorithm for resolving action groups (#4448)
• Check block request only if system index (#4430)
• Replaced uses of SecurityRoles by Set mappedRoles where the SecurityRoles functionality is not needed (#4432)

Bug Fixes

• Fixed test failures in FlsAndFieldMaskingTests (#4548)
• Typo in securityadmin.sh hint (#4526)
• Fix NPE getting metaFields from mapperService on a close index request (#4497)
• Fixes flaky integration tests (#4452)

Maintenance

• Remove unused dependancy Apache CXF (#4580)
• Remove unnecessary return statements (#4558)
• Refactor and update existing ml roles (#4151)
• Replace JUnit assertEquals() with Hamcrest matchers assertThat() (#4544)
• Update Gradle to 8.9 (#4553)
• Bump org.checkerframework:checker-qual from 3.44.0 to 3.45.0 (#4531)
• Add security analytics threat intel action (#4498)
• Bump kafka_version from 3.7.0 to 3.7.1 (#4501)
• Bump org.junit.jupiter:junit-jupiter from 5.10.2 to 5.10.3 (#4503)
• Bump com.fasterxml.woodstox:woodstox-core from 6.6.2 to 6.7.0 (#4483)
• Bump jjwt_version from 0.12.5 to 0.12.6 (#4484)
• Bump org.eclipse.platform:org.eclipse.core.runtime from 3.31.0 to 3.3.1.100 (#4467)
• Bump spring_version from 5.3.36 to 5.3.37 (#4466)
• Update to Gradle 8.8 (#4459)